[Fwd: Re: Shortcuts to counting rules?]

[Fwd: Re: Shortcuts to counting rules?]

[Rick Jones]

Over in netfilter it was suggested I might ask the question(s) below in 
netfilter-devel.  I'd point at a archive for the base message and 
remainder of the thread but:

http://vger.kernel.org/vger-lists.html#netfilter

doesn't indicate one.  The end goal here is to teach netperf how to get 
a count of iptables rules in place in the kernel.  There was also a 
drifting question of whether or not strace should be taught about the 
getsockopt() options.

thanks,

rick jones

-------- Original Message --------
Subject: Re: Shortcuts to counting rules?
Date: Thu, 30 Oct 2008 18:26:02 -0700
From: Rick Jones <rick.jones2@hp.com>
To: netfilter@vger.kernel.org
CC: Philip Craig <philipc@snapgear.com>
References: <4908FDE9.7040006@hp.com>	<49090A3D.40102@snapgear.com> 
<4909E386.1000405@hp.com>	<490A0117.4090501@hp.com>

Rick Jones wrote:
> Rick Jones wrote:
> 
>> Philip Craig wrote:
>>
>>> The getsockopt() calls are part of the linux ABI.  Using them is safe.
>>> You just need to make sure you handle the case that they aren't
>>> implemented.
>>
>>
>>
>> Time to go find their documentation then I suppose.
> 
> 
> Looks like struct ipt_getinfo and ip6t_getinfo are only in header files 
> that come with "iptables-dev?"

Having found linux/netfilter_ipv4/ip_tables.h and its ipv6 counterpart,
I will confess to having an Emily Litella moment with the above.

In messing about further and at the risk of yet another emily litella
moment (I have no pride when I'm trying to learn something new :) with
what the getsockopt(IPT_SO_GET_INFO) returns vs what I get by iterating
with libiptc calls, I take it that I cannot just use num_entries from
ipt_getinfo but have to retrieve the entries and run through them
skipping over chain entries?

tardy:~/iptables-1.4.1.1# cc -o fw_count
fw_count.ctardy:~/iptables-1.4.1.1# ./fw_count
name is mangle valid is 1f num is 6 size is 916
name is nat valid is 19 num is 4 size is 620
name is filter valid is e num is 4 size is 620
firewalltype is 1, rulecount 14
tardy:~/iptables-1.4.1.1# cc -DHAVE_IT_ALL -Iinclude -Llibiptc -o
fw_count fw_count.c -liptc
tardy:~/iptables-1.4.1.1# ./fw_count
chain count 5
chain count 3
chain count 3
firewalltype is 1, rulecount 0

The "tardy" system has no rules defined, and there are five chains for
mangle and three each for nat and filter, but that leaves me with one -
is that expected?

tardy:~/iptables-1.4.1.1# cat fw_count.c
#if defined(HAVE_LIBIPTC_H) && defined(HAVE_IPTABLES_H) &&
defined(HAVE_LIBIPTC)
#define HAVE_IT_ALL
#endif

#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#if defined(HAVE_IT_ALL)
#include "libiptc/libiptc.h"
#include "iptables.h"
#else
/* seems linux/netfilter_ipv4/ip_tables.h needs IFNAMSIZ and does not get
  * it on its own */
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
/* need to consider IPv6 here at some point */
#endif

#define NETFW_UNKNOWN -1
#define NETFW_IPTABLES 1


#if defined(HAVE_IT_ALL)
static int
count_rules(iptc_handle_t *messiah) {

         const char *chain;
         const struct ipt_entry *rule;
         int count = 0;
         int chain_count = 0;
         chain = iptc_first_chain(messiah);
         while (chain) {
                 chain_count++;
                 rule = iptc_first_rule(chain,messiah);
                 while (rule) {
                         count++;
                         rule = iptc_next_rule(rule,messiah);
                 }
                 chain = iptc_next_chain(messiah);
         }
         printf("chain count %d\n",chain_count);
         return count;
}
#else
static int
count_rules(char *table) {

         struct ipt_getinfo info;

         static int sock = -1;;
         int len = sizeof(info);

         if (-1 == sock)
                 sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
         strncpy(info.name,table,IPT_TABLE_MAXNAMELEN);
         info.name[IPT_TABLE_MAXNAMELEN-1] = '\0';

         getsockopt(sock,SOL_IP,IPT_SO_GET_INFO,&info,&len);

         printf("name is %s valid is %x num is %d size is %d\n",
                 info.name,
                 info.valid_hooks,
                 info.num_entries,
                 info.size);

         return info.num_entries;
}

#endif


void
get_firewall_info(int *firewalltype, int *rulecount) {

#if defined(HAVE_IT_ALL)
         iptc_handle_t messiah;  /* handles, always handles */
#endif

         FILE *namesfile = NULL;
         char tablename[IPT_TABLE_MAXNAMELEN + 1];
         int mycount = 0;
         *firewalltype = NETFW_IPTABLES;
         *rulecount = -1;


         namesfile = fopen("/proc/net/ip_tables_names","r");
         if (!namesfile)
                 return;

         while (fgets(tablename,
                      sizeof(tablename),
                      namesfile)) {
                 /* no end of line is bad */
                 if (tablename[strlen(tablename) - 1] != '\n') {
                         /* we want to signal the problem somehow */
                         /* so set the rulecount to -1 always here */
                         *rulecount = -1;
                         return;
                 }
                 /* but we dont want to have one in our calls */
                 tablename[strlen(tablename) - 1] = '\0';
#if defined(HAVE_IT_ALL)
                 messiah = iptc_init(tablename);
                 mycount += count_rules(&messiah);
                 iptc_free(&messiah);
#else
                 mycount += count_rules(tablename);
#endif
         }
         *rulecount = mycount;
}

int
main(int argc, char *argv[]) {

         int firewalltype,rulecount;

         get_firewall_info(&firewalltype,&rulecount);
         printf("firewalltype is %d, rulecount
%d\n",firewalltype,rulecount);

         return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jan Engelhardt]

On Friday 2008-10-31 18:57, Rick Jones wrote:

> The end goal here is to teach netperf how to get a count of
> iptables rules in place in the kernel.  There was also a drifting
> question of whether or not strace should be taught about the
> getsockopt() options.

iptables-save | grep ^- | wc -l

And strace should not be taught that. We have seen at least one
change of the interpretation of the binary stream.

Re: [Fwd: Re: Shortcuts to counting rules?]

[Rick Jones]

Jan Engelhardt wrote:
> On Friday 2008-10-31 18:57, Rick Jones wrote:
> 
> 
>>The end goal here is to teach netperf how to get a count of
>>iptables rules in place in the kernel.  There was also a drifting
>>question of whether or not strace should be taught about the
>>getsockopt() options.
> 
> 
> iptables-save | grep ^- | wc -l

Here is where I cop to being a luddite who prefers straight C to calling 
system() :)

> And strace should not be taught that. We have seen at least one
> change of the interpretation of the binary stream.

How about at least the option name(s) so it can present something other 
than the 0x40/0x41 etc?

rick jones

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jan Engelhardt]

On Friday 2008-10-31 19:54, Rick Jones wrote:
>> 
>> iptables-save | grep ^- | wc -l
>
> Here is where I cop to being a luddite who prefers straight C to calling
> system() :)

But there is no C library. And libiptc is so strongly internal that
it does not fall under libraries-to-use.

>> And strace should not be taught that. We have seen at least one
>> change of the interpretation of the binary stream.
>
> How about at least the option name(s) so it can present something other than
> the 0x40/0x41 etc?

I do not mind that. Turn to the strace maintainer about getting that
implemented.

Re: [Fwd: Re: Shortcuts to counting rules?]

[Rick Jones]

Jan Engelhardt wrote:
> On Friday 2008-10-31 19:54, Rick Jones wrote:
> 
>>>iptables-save | grep ^- | wc -l
>>
>>Here is where I cop to being a luddite who prefers straight C to calling
>>system() :)
> 
> 
> But there is no C library. And libiptc is so strongly internal that
> it does not fall under libraries-to-use.

I'm willing to code without a library, I just need to know how to parse 
the set of entries I suspect.

Someone in netfilter suggested the getsockopt() calls were part of the 
ABI, which implies what the getsockopt() calls return is reasonably 
"stable."  Is that actually the case, or can one not even ass-u-me the 
getsockopt() calls themselves are stable?

>>>And strace should not be taught that. We have seen at least one
>>>change of the interpretation of the binary stream.
>>
>>How about at least the option name(s) so it can present something other than
>>the 0x40/0x41 etc?
> 
> 
> I do not mind that. Turn to the strace maintainer about getting that
> implemented.

Will do.

rick jones

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jesper Dangaard Brouer]

On Sat, 1 Nov 2008, Jan Engelhardt wrote:

> On Friday 2008-10-31 19:54, Rick Jones wrote:
>>>
>>> iptables-save | grep ^- | wc -l
>>
>> Here is where I cop to being a luddite who prefers straight C to calling
>> system() :)
>
> But there is no C library. And libiptc is so strongly internal that
> it does not fall under libraries-to-use.

I don't see why not to use libiptc.  Its been one of the most stable / 
less-changed through the years...

I'm using libiptc quite extensivly in IPTables::libiptc Perl CPAN module.

Hilsen
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

Re: [Fwd: Re: Shortcuts to counting rules?]

[Rick Jones]

Jesper Dangaard Brouer wrote:
> On Sat, 1 Nov 2008, Jan Engelhardt wrote:
> 
>> On Friday 2008-10-31 19:54, Rick Jones wrote:
>>
>>>>
>>>> iptables-save | grep ^- | wc -l
>>>
>>>
>>> Here is where I cop to being a luddite who prefers straight C to calling
>>> system() :)
>>
>>
>> But there is no C library. And libiptc is so strongly internal that
>> it does not fall under libraries-to-use.
> 
> 
> I don't see why not to use libiptc.  Its been one of the most stable / 
> less-changed through the years...

I wouldn't mind using libiptc, but it seems to be something the 
maintainers don't want mere mortals using.  Also, and perhaps as a 
result, it isn't entirely clear that even installing an iptables-dev 
package (on which I'd rather not have netperf rely if I can avoid it) 
actually gives a libiptc everywhere.

That leaves deciphering at least some of what the existing libiptc code 
does and mimmicing it in netperf :(

rick jones

> 
> I'm using libiptc quite extensivly in IPTables::libiptc Perl CPAN module.
> 
> Hilsen
>   Jesper Brouer
> 
> -- 
> -------------------------------------------------------------------
> MSc. Master of Computer Science
> Dept. of Computer Science, University of Copenhagen
> Author of http://www.adsl-optimizer.dk
> -------------------------------------------------------------------
> -- 
> To unsubscribe from this list: send the line "unsubscribe 
> netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jesper Dangaard Brouer]

>>  On Friday 2008-10-31 19:54, Rick Jones wrote:
>> > 
>> >  Here is where I cop to being a luddite who prefers straight C to calling
>> >  system() :)

Using libiptc, here is the C-program you need:

--- cut here ---
#include <stdio.h>
#include <libiptc/libiptc.h>

main(int argc, char *argv[])
{
 	char *table = "filter";
 	const char             *chain;
 	const struct ipt_entry *rule;
 	iptc_handle_t handle = NULL;
 	unsigned int num_chains = 0;
 	unsigned int num_rules  = 0;

 	handle = iptc_init(table);
 	//dump_entries(handle);

 	chain = iptc_first_chain(&handle);
 	while (chain) {
 		//printf("Chain:%s\n", chain);
 		num_chains++;

 		rule = iptc_first_rule(chain, &handle);
 		while (rule) {
 			num_rules++;
 			rule = iptc_next_rule(rule, &handle);
 		}
 		//printf("Rules so far:%u\n", num_rules);

 		chain = iptc_next_chain(&handle);
 	}

 	printf("Number of chains:%u\n", num_chains);
 	printf("Number of rules:%u\n", num_rules);
}
--- cut here ---

~/git/iptables$  gcc count.c -o count libiptc/libiptc.a  -I./include

Cheers,
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

Re: [Fwd: Re: Shortcuts to counting rules?]

[Rick Jones]

Jesper Dangaard Brouer wrote:
> 
>>>  On Friday 2008-10-31 19:54, Rick Jones wrote:
>>> > >  Here is where I cop to being a luddite who prefers straight C to 
>>> calling
>>> >  system() :)
> 
> 
> Using libiptc, here is the C-program you need:
> 
> --- cut here ---
> #include <stdio.h>
> #include <libiptc/libiptc.h>
> 
> main(int argc, char *argv[])
> {
>     char *table = "filter";
>     const char             *chain;
>     const struct ipt_entry *rule;
>     iptc_handle_t handle = NULL;
>     unsigned int num_chains = 0;
>     unsigned int num_rules  = 0;
> 
>     handle = iptc_init(table);
>     //dump_entries(handle);
> 
>     chain = iptc_first_chain(&handle);
>     while (chain) {
>         //printf("Chain:%s\n", chain);
>         num_chains++;
> 
>         rule = iptc_first_rule(chain, &handle);
>         while (rule) {
>             num_rules++;
>             rule = iptc_next_rule(rule, &handle);
>         }
>         //printf("Rules so far:%u\n", num_rules);
> 
>         chain = iptc_next_chain(&handle);
>     }
> 
>     printf("Number of chains:%u\n", num_chains);
>     printf("Number of rules:%u\n", num_rules);
> }
> --- cut here ---
> 

Thanks - indeed I have code very much like that already in my initial 
prototype.  Biggest difference is I check every table listed under 
/proc/net/mumble :)  I'm still trying to decipher what the parsing code 
in libiptc is doing so see how much work it would be for me to create 
braindead rule counting code.

I could I suppose just drop back and not worry about counting rules per 
se, but just arriving at a rules vs no rules decision somehow.

rick jones

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jan Engelhardt]

On Wednesday 2008-11-05 19:25, Jesper Dangaard Brouer wrote:
> On Sat, 1 Nov 2008, Jan Engelhardt wrote:
>> On Friday 2008-10-31 19:54, Rick Jones wrote:
>> > >
>> > > iptables-save | grep ^- | wc -l
>> >
>> > Here is where I cop to being a luddite who prefers straight C to calling
>> > system() :)
>>
>> But there is no C library. And libiptc is so strongly internal that
>> it does not fall under libraries-to-use.
>
> I don't see why not to use libiptc.  Its been one of the most stable /
> less-changed through the years...
>
> I'm using libiptc quite extensivly in IPTables::libiptc Perl CPAN module.

Hm yeah. The API might be ok, but the source is ugly. Hence
the recent slew of patches. I'm still thinking how to pull
this off so that it gets even less ugly, less big (it is
essentially compiled twice), and then make it available
as a standard library.

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jesper Dangaard Brouer]

On Fri, 7 Nov 2008, Jan Engelhardt wrote:

> On Wednesday 2008-11-05 19:25, Jesper Dangaard Brouer wrote:
>> On Sat, 1 Nov 2008, Jan Engelhardt wrote:
>>> On Friday 2008-10-31 19:54, Rick Jones wrote:
>>>>>
>>>>> iptables-save | grep ^- | wc -l
>>>>
>>>> Here is where I cop to being a luddite who prefers straight C to calling
>>>> system() :)
>>>
>>> But there is no C library. And libiptc is so strongly internal that
>>> it does not fall under libraries-to-use.
>>
>> I don't see why not to use libiptc.  Its been one of the most stable /
>> less-changed through the years...
>>
>> I'm using libiptc quite extensivly in IPTables::libiptc Perl CPAN module.
>
> Hm yeah. The API might be ok, but the source is ugly. Hence
> the recent slew of patches. I'm still thinking how to pull
> this off so that it gets even less ugly, less big (it is
> essentially compiled twice), and then make it available
> as a standard library.

I would really like if we could make it available as a standard library, 
preferably a dynamic .so lib.  Just like you have recently done with 
libxtables.so.

That would make it easier to make libraries like my IPTables::libiptc Perl 
CPAN module.

Hilsen
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

Re: [Fwd: Re: Shortcuts to counting rules?]

[Philip Craig]

Jan Engelhardt wrote:
> And strace should not be taught that. We have seen at least one
> change of the interpretation of the binary stream.

Are you saying I can't use an old iptables binary with a new kernel?

Re: [Fwd: Re: Shortcuts to counting rules?]

[Jan Engelhardt]

On Tuesday 2008-11-04 01:41, Philip Craig wrote:
>Jan Engelhardt wrote:
>> And strace should not be taught that. We have seen at least one
>> change of the interpretation of the binary stream.
>
>Are you saying I can't use an old iptables binary with a new kernel?
>
You can, but there is a corner case where you cannot, right, and that is 
when your extension's name is 31/32 characets long. Which was deemed so 
unlikely that the change actually occurred.